Subprocessor List

In accordance with GDPR Article 28, we maintain a transparent list of all third-party subprocessors that process personal data on behalf of Find The Breach.

Last updated: February 23, 2026  |  Version 1.3

📬 Subprocessor Change Notification

We provide 30 days' prior written notice before engaging any new subprocessor or materially changing an existing subprocessor's role. Customers on Enterprise plans receive email notifications and have a 14-day objection window as outlined in our Data Processing Agreement.

To receive notifications about sub-processor changes, subscribe to our sub-processor update list by emailing dpa@findthebreach.com with subject “Sub-Processor Updates Subscribe”. We will notify subscribers at least 30 days before engaging any new sub-processor, in accordance with our Data Processing Agreement.

Current Subprocessors

Subprocessor | Purpose | Location | Data Processed
Hetzner Online GmbH | Cloud infrastructure & hosting | 🇩🇪 Germany (EU) | Scan results, user accounts, application data
Cloudflare, Inc. | CDN, DNS, DDoS protection | 🇺🇸 USA (EU-US DPF) | IP addresses, HTTP request metadata
PostgreSQL (Self-Hosted) | Primary database | 🇩🇪 Germany (EU) | All application data, user data, scan data
Brevo (Sendinblue) | Transactional email delivery | 🇫🇷 France (EU) | Email addresses, notification content
NVD / NIST | CVE vulnerability data enrichment | 🇺🇸 USA (Public Data) | CVE IDs only (no personal data)
FIRST.org (EPSS) | Exploit probability scoring | 🇺🇸 USA (Public Data) | CVE IDs only (no personal data)
CISA (KEV Catalog) | Known Exploited Vulnerabilities | 🇺🇸 USA (Public Data) | CVE IDs only (no personal data)

📋 Change Log

Added February 23, 2026

FIRST.org (EPSS): Added for exploit probability scoring as part of Threat Intelligence Engine. No personal data processed.

Added February 23, 2026

CISA KEV Catalog: Added for Known Exploited Vulnerability cross-referencing. Public government data only.

Initial January 15, 2026

Initial subprocessor list published with Hetzner, Cloudflare, PostgreSQL, Brevo, and NVD.

Legal Framework

  • GDPR Article 28: All subprocessors are bound by data processing agreements with equivalent data protection obligations.
  • EU-US Data Privacy Framework: US-based subprocessors processing EU personal data are certified under the EU-US DPF or operate under Standard Contractual Clauses (SCCs).
  • Transfer Impact Assessments: We conduct TIAs for all non-EU/EEA data transfers as documented in our DPA.
  • Security Measures: All subprocessors implement appropriate technical and organizational measures as detailed in our Trust Center.